Exploiting Broadcast Information in Cellular Networks

Exploiting Broadcast Information in Cellular Networks

Let Me Answer That For You: Exploiting Broadcast Information in Cellular Networks Nico Golde, Kévin Redon, and Jean-Pierre Seifert, Technische Universität Berlin and Deutsche Telekom Innovation Laboratories This paper is included in the Proceedings of the 22nd USENIX Security Symposium. August 14–16, 2013 • Washington, D.C., USA ISBN 978-1-931971-03-4 Open access to the Proceedings of the 22nd USENIX Security Symposium is sponsored by USENIX Let Me Answer That For You: Exploiting Broadcast Information in Cellular Networks Nico Golde, K´evin Redon, Jean-Pierre Seifert Technische Universitat¨ Berlin and Deutsche Telekom Innovation Laboratories {nico, kredon, jpseifert}@sec.t-labs.tu-berlin.de Abstract comBB [20, 25, 45]. These open source projects consti- tute the long sought and yet publicly available counter- Mobile telecommunication has become an important part parts of the previously closed radio stacks. Although all of our daily lives. Yet, industry standards such as GSM of them are still constrained to 2G network handling, re- often exclude scenarios with active attackers. Devices cent research provides open source software to tamper participating in communication are seen as trusted and with certain 3G base stations [24]. Needless to say that non-malicious. By implementing our own baseband those projects initiated a whole new class of so far uncon- firmware based on OsmocomBB, we violate this trust sidered and practical security investigations within the and are able to evaluate the impact of a rogue device with cellular communication research, [28, 30, 34]. regard to the usage of broadcast information. Through our analysis we show two new attacks based on the pag- Despite the recent roll-out of 4G networks, GSM re- ing procedure used in cellular networks. We demonstrate mains the dominant cellular standard in many countries. that for at least GSM, it is feasible to hijack the trans- Moreover, as most new LTE devices are backwards com- mission of mobile terminated services such as calls, per- patible to GSM, this older standard will not vanish soon form targeted denial of service attacks against single sub- at all, but rather complement 3G and LTE connectivity scribers and as well against large geographical regions in areas with pure GSM coverage. Several other rea- within a metropolitan area. sons such as worse indoor coverage and the lower num- ber of deployed UMTS and LTE base stations contribute to this. Additionally, telecommunication providers have 1 Introduction already begun to reuse their existing GSM infrastructure within non-voice scenarios which require a much slower While past research on Global System for Mobile Com- data communication than modern network technologies munications (GSM) mainly focused on theoretical re- are capable of. This is especially the case for Machine search [17, 18], a very recent research direction chal- to Machine (M2M) or so-called Internet of Things (IoT) lenged the fundamental GSM security assumptions with communications over GSM. Corresponding applications respect to the practical availability of open GSM equip- will soon become parts of our daily life and will make us ment. The assumptions have been made on both sides of more dependent than ever on GSM, cf. [19, 35]. Given the radio part of the cellular network. One side of the this pervasive GSM usage, it is very important to evalu- radio link is the Base Station System (BSS) consisting of ate the security offered by a standard which is more than the Base Transceiver Station (BTS) and the Base Station 20 years old and is based on assumptions, many of which Controller (BSC), while the other side of the radio part is no longer hold true. the modem or the so-called baseband of a cellular phone. This paper continues the challenge of the mobile Traditionally, both radio stacks have been carefully kept security assumption that certain active attacks can be out of reach for any kind of malicious activities. safely excluded from the threat model. Towards this But a booming market for used telecommunication goal we show novel attacks against mobile terminated equipment, cheap software defined radios, leakage of services. While the root cause also exists in newer some hardware specifications, and a well-trained open standards such as UMTS or LTE, we demonstrate the source community finally broke up this closed cellular impact of it in commercially deployed GSM networks. world. The overall community work culminated in three To the best of our knowledge, the limitations of currently open source projects: OpenBSC, OpenBTS, and Osmo- available hard- and software would make it very difficult USENIX Association 22nd USENIX Security Symposium 33 2.1 GSM Infrastructure Despite the complexity of a complete GSM mobile net- work architecture [3], only a few entities are relevant to this work. In the following paragraph, we provide the necessary background on the infrastructure components of relevance to this research. Figure 1 illustrates the ar- chitecture and connections between these components: Figure 1: Simplified GSM network infrastructure. • BTS: The Base Transceiver Station is a phone’s ac- cess point to the network. It relays radio traffic to to test these attacks in UMTS and LTE networks. Prior and from the mobile network and provides access to publishing this research, we responsibly notified the to the network over-the-air. A set of BTSs is con- respective standard organisations via a carrier of our trolled by a Base Station Controller (BSC) and is research results. part of a Base Station System (BSS). In summary, we make the following main contributions: • MS: The Mobile Station is the mobile device inter- acting with the mobile operator network. It com- • We present the paging response attack, a novel and prises hardware and software required for mobile practical attack against mobile terminated services. communication (baseband processor, SIM card, and a GSM stack implementation). The MS interacts • We show the feasibility and the implementation of with the BTS over a radio link, also known as the a mobile phone firmware which is capable to steal a Um interface. In this paper, the mobile phone of a short message over-the-air and to perform denial of victim is often referred to as MS. We will also use service attacks against mobile terminated services the term MS, user, subscriber, phone, and mobile in GSM networks. Furthermore, we evaluated these device interchangeably. attacks to be present in major European operator networks. • MSC: The Mobile Switching Center [6] is a core network entity responsible for routing services, • We eventually assess the boundary conditions for a such as calls and short messages, through the net- large-scale paging response attack in order to cause work. It utilizes components from BSSs to establish denial of service conditions within a large geo- connections to mobile devices, organizes hand-over graphical area of a major city. procedures and connects the cellular network to the Public Switched Telephone Network (PSTN). The remainder of the paper is structured as follows. Section 2 provides an overview of the 3GPP GSM net- • VLR: The Visitor Location Register maintains loca- work infrastructure, as well as details about logical chan- tion and management data for mobile subscribers nels and paging protocol procedures required to under- roaming in a specific geographical area handled by stand our attacks; Section 3 details our novel attack that an MSC. It acts as a local database cache for vari- exploits the paging procedure as used in GSM; Sec- ous subscriber information obtained from the cen- tion 4 describes characteristics of location areas in a tral Home Location Register (HLR), e.g., the mo- large metropolitan area and the respective requirements bile identity. A subscriber can only be present in to perform a large-scale denial of service attack against one VLR at a time. Each of the areas served has these regions; Section 5 discusses two different counter- an associated unique identifier, the Location Area measures to address the attacks; Section 6 provides an Code (LAC) [3,8]. As soon as a phone leaves a cer- overview of related research; Section 7 concludes our re- tain geographical area called Location Area (LA), it search. has to perform the Location Update procedure [4] to notify the network of this event. 2 Background and Overview 2.2 GSM Logical Channels This section briefly describes the GSM cellular network infrastructure. We continue to explain the important The available GSM frequencies are shared among a num- types and functions of logical channels. Furthermore, ber of mobile carriers. Each of the GSM frequency bands we depict the protocol details required to understand the is divided into multiple carrier frequencies by means of basis of our attack. Frequency Division Multiple Access (FDMA). A BTS 34 22nd USENIX Security Symposium USENIX Association serves at least one associated carrier frequencies identi- call or receiving an incoming service always re- fied by the Absolute Radio-Frequency Channel Number quires a phone to setup a dedicated signaling chan- (ARFCN). The ARFCN provides a dedicated pair of up- nel beforehand. link and downlink frequencies for receiving and trans- AGCH: The Access Grant Channel provides a mitting data over the Um interface [10]. Because the ra- • dio frequency is shared among a number of subscribers, downlink channel used by the BTS to transmit as- GSM uses Time Division Multiple Access (TDMA) as signment messages that notify mobile stations of channel access method and divides physical channels assigned channel details. A successful channel re- provided by the ARFCN into 8 time slots. A sequence of quest on the RACH will result in an Immediate As- 8 consecutive time slots is called a TDMA frame. Mul- signment message on the AGCH. These assignment tiple TDMA frames form a multiframe. It consists either messages contain the required configuration param- of 51 or 21 TDMA frames (respectively control frames eters that enable the MS to tune to the requested or traffic frames).

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    17 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us